In many companies, the introduction of Enterprise Mobility Management (EMM) is a sensible measure to make mobile working safer and more efficient. However, companies repeatedly come up against internal hurdles during implementation, particularly due to concerns on the part of the works council. At the center of these concerns is often the worry about protecting employees’ privacy and the possible control functions that could be associated with an EMM system. This article sheds light on why EMM benefits not only the company but also the employees, how the co-determination rights of the workforce are safeguarded, and which technical and organisational measures (TOMs) ensure data protection.
Advantages of EMM for employees
An Enterprise Mobility Management system offers significant advantages not only to the company but also to employees, simplifying their everyday work lives. Here are some of the key benefits:
Data security
If a device is lost or stolen, an EMM system enables sensitive company data to be deleted quickly and securely. This not only protects the company but also shields employees from unpleasant situations when private devices (BYOD) are used in a work context.
Increased flexibility
EMM allows employees to work securely from anywhere. Whether at home, on business trips, or in a café, secure access and encryption mean company resources can be used without risk. This results in greater flexibility and fewer restrictions.
Separation of professional and private data
A well-implemented EMM makes it possible to cleanly separate professional and private data on one device (keyword “container solutions”). This assures employees that their private data remains beyond the company’s control or monitoring.
Fast IT support
Issues with mobile devices can often be resolved quickly and easily via remote access, without the employee needing to bring the device to the IT department. This saves time and reduces stress.
Employee co-determination rights
One of the key aspects of introducing EMM is the involvement of the works council. This co-determination process provides employees with a crucial opportunity to actively safeguard their data protection rights.
Company agreement as a protective instrument
In many companies, a company agreement is concluded between the employer and the works council, which precisely regulates the use of an EMM system. This agreement sets clear limits on what data may be collected, how it is processed, and who has access to it. This ensures that the EMM system is not perceived as a “surveillance tool.”
Transparency and education
Employees have the right to receive clear and comprehensive information about how an EMM system works and how it is used. This fosters transparency and trust. Open dialogue between the company and employees often alleviates many initial concerns.
Flexibility in adapting agreements
A company agreement is not a rigid construct. It can be adapted to meet employees’ needs and respond to evolving technological possibilities. This ensures data protection remains consistently strong.
What data does an EMM store and what does it not?
A prevalent misconception about EMM systems is the fear that they might serve as monitoring tools. To dispel these concerns, it is important to clearly explain what data is collected by an EMM and what is not.
Data stored by an EMM
An EMM system mainly collects security-relevant information to protect company data and resources. Typical data stored by an EMM includes:
- Device information: Device type, operating system version, serial number, model, and technical specifications.
- Software information: Details about installed and authorized apps and their versions.
- Security status: Encryption status, jailbreak/root detection, status of security patches.
- Network connections: Logs of connections to company resources, such as VPN usage.
- Location data (optional): In certain cases, such as a lost device, location data may be recorded, but only on the basis of explicit employee consent and predefined guidelines.
Data not stored by an EMM
An EMM respects employees’ privacy and does not store any personal data. The following data is generally not recorded:
- Personal communication: Emails, text messages, chat messages, and call histories remain private.
- Private apps and their data: Private apps and their content (e.g., photos, social media, personal documents) are not monitored.
- Browsing history: Private browser history is not tracked. Only access to company resources might be logged.
- Private app usage: The frequency and nature of private app usage is outside the scope of EMM responsibilities.
This clear separation between private and business data is not only technically ensured by the EMM system but is often also part of the works agreement and data protection guidelines.
Technical and organisational measures (TOMs)
Another critical component in ensuring data protection is the implementation of technical and organisational measures (TOMs). These measures are legally required and play a central role in EMM introduction.
Technical measures
An EMM system must be configured to avoid unnecessary data collection and respect employees’ privacy. This includes encrypting data both on the device and during transmission. Access restrictions and a strict separation of private and professional areas are also technical measures that strengthen employee trust.
Organisational measures
In addition to technology, clear policies must define who within the company is authorized to access specific data, how long such data is retained, and when it is deleted. These measures are often developed and regularly reviewed in collaboration with the data protection officer and the works council.
DPA: Data protection of the EMM
Another essential tool for safeguarding data protection is the Data Processing Agreement (DPA), concluded between companies and external service providers in accordance with the General Data Protection Regulation (GDPR).
Data processing by third-party providers
EMM providers act as service providers on behalf of the company. To authorize these providers to process data, a DPA must be concluded. This agreement ensures the provider processes data solely for agreed purposes while adhering to strict data protection requirements.
Key components of a DPA
According to the GDPR, a DPA must address specific points to guarantee personal data protection:
- Subject and duration of processing: This section defines which data will be processed and for what duration. It must clearly specify the type of personal data the processor receives and the timeframe during which they are authorized to process it.
- Nature and purpose of processing: The DPA outlines the specific purposes for which the service provider processes the data, such as device management as part of EMM. The processor is strictly limited to using the data for the explicitly defined purposes.
- Responsibilities and rights of the controller: The agreement must clearly delineate the rights of the company as the controller and the obligations of the service provider towards the company and the data subjects (employees).
- Security measures (TOMs): The service provider is required to implement appropriate technical and organisational measures to ensure data protection. These may include encryption, access restrictions, backup procedures, and other safeguards.
- Rules on data transfers: The agreement must clearly specify whether the processor uses subcontractors (sub-processors) and under what conditions they are granted access to the data. Sub-processors must adhere to the same stringent data protection requirements as the primary service provider.
- Audit rights of the controller: The DPA must grant the company the right to verify the service provider’s compliance with data protection regulations. This includes the ability to conduct audits and inspections as needed.
- Procedures for handling data breaches: The agreement must define the actions to be taken by the processor in the event of a data breach. This includes the obligation to promptly inform the company, enabling it to fulfill its reporting obligations under the GDPR.
- Deletion or return of data: The agreement must specify what happens to personal data once processing is complete. The processor is required to either securely delete the data or return it safely to the company.
Data protection-compliant implementation
The DPA ensures that both the company and the EMM service provider comply with the provisions of the GDPR. This strengthens the trust of employees, as they can be sure that their data will not be misused or passed on.
Checklist: EMM introduction with works council
If your company has a works council and you want to introduce Enterprise Mobility Management, cooperation with the works council is crucial in order to create a data protection-compliant and employee-friendly solution. Here are the most important steps on how you should proceed:
- Early involvement of the works council
  - Get in touch with the works council at an early stage to discuss the project.
  - Provide comprehensive information about the objectives and functions of the EMM system.
- Information and education phase
  - Share all relevant information: What data is collected, how it is processed, and what security measures are implemented.
  - Organise training sessions or workshops to clarify questions and address concerns.
- Development of a company agreement
  - Work together with the works council on a company agreement that regulates the use of the EMM. The following points should be defined in the agreement:
    - Which data may be collected and processed.
    - Technical and organisational measures (TOMs) to protect employee data.
    - Regulations on the separation of private and professional data on mobile devices.
    - Control rights of the works council and transparency obligations towards employees.
- Data protection through a DPA
  - As external service providers are involved in the operation of the EMM, a data processing agreement (DPA) must be concluded with the contractor.
- Transparency towards employees
  - Clearly and comprehensively inform employees about the EMM system, its functionalities, and privacy safeguards. Allow questions and feedback.
Conclusion: EMM as an employee- and data protection-friendly solution
Enterprise Mobility Management should not be misunderstood as a monitoring tool. Rather, it provides numerous advantages for companies and employees alike – from enhanced data security and greater flexibility to a clear separation of professional and private data.
Works agreements and technical and organisational measures effectively address concerns about privacy and control functions. Ultimately, everyone benefits: the company improves its IT infrastructure’s efficiency and security, while employees enjoy greater freedom and support for mobile work. Open dialogue and transparent regulations are key to a successful, data protection-compliant EMM introduction.